BreachExchange mailing list archives

Top 3 Security Threats for Banks – And How to Address Them


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Jul 2014 17:03:43 -0600

http://www.banktech.com/security/top-3-security-threats-for-banks---and-how-to-address-them-/a/d-id/1297396


Financial institutions have many options when it comes to protecting
customer transactions, including advanced software products able to pass
stringent security standards to prevent data loss. But like any other
business, banks’ chief vulnerability point from an operational standpoint
is their people, particularly in the bring-your-own-device (BYOD) era.

Banks are hard-pressed to control the business use of personal devices and
monitor security practices for an increasingly mobile workforce, but there
are steps managers can take to rein in the risks. Here are the top three
security threats banks and other businesses face and ideas on how managers
can mitigate them with better cyber security practices:

1. Weak passwords. Despite many advances in security technology, the
password is still the first line of defense for most bank PCs, laptops, and
personal mobile devices that are used for business. Unfortunately, many
employees still use easy-to-guess passwords, such as their job titles,
children's or pets' names, birth years, and other personal information that
anyone can find on sites like Facebook.

Bank managers should educate employees on proper password protection
methods, such as creating memorable yet difficult-to-crack passwords. One
proven technique is to use a combination of upper and lowercase letters,
symbols, and numbers. Strong passwords incorporating those elements can
also be easy to remember if the employee uses symbols and numbers that
resemble letters in a simple password, such as “Fri$b33” for “Frisbee.”
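The composition rule above (upper and lowercase letters, symbols, and numbers) and the guessable-information problem from the previous paragraph can both be enforced at password-set time. The following checker is an added example written for this archive and is not code from the article or from any bank; the 12-character minimum, the substitution table used to undo symbol-for-letter swaps, and the sample personal terms are assumptions chosen for illustration.

```python
import re

# Common symbol/digit-for-letter substitutions (assumed table, constructed for this example).
# Undoing them lets the checker see that a password was derived from a known word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "$": "s", "@": "a", "!": "i",
})


def normalize(password: str) -> str:
    """Lowercase the password and undo the substitutions in LEET_MAP."""
    return password.lower().translate(LEET_MAP)


def check_password(password: str, personal_terms, min_length: int = 12):
    """Return a list of policy violations; an empty list means the password is accepted.

    personal_terms: things about the user that an attacker could look up
    (job title, child or pet names, birth year), as the article describes.
    min_length is an assumed value; the article names no specific length.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The article's composition rule: mixed case, digits, and symbols.
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Reject passwords built from personal information, whether written plainly
    # or disguised with substitutions (checked against both raw and normalized forms).
    raw = password.lower()
    norm = normalize(password)
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in raw or t in norm):
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample profile: job title, pet name, birth year.
    profile = ["teller", "Rover", "1985"]
    for candidate in ["Fri$b33", "R0ver1985!", "Correct-Horse-7-Battery"]:
        print(candidate, "->", check_password(candidate, profile) or "accepted")
```

Run stand-alone, the script shows that the article's "Fri$b33" satisfies every composition rule but fails only the assumed length minimum, while a pet name plus birth year is rejected even when a digit is swapped in for a letter.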

2. Lack of training. Bank employees who use weak passwords and fail to take
basic security precautions generally don’t mean any harm; typically, they
just don’t fully understand the risks. And while bank managers are
primarily concerned with the possibility of company data falling into the
wrong hands, employees who use personal devices for company business are
also putting their own information at risk, including bank account numbers
and e-commerce accounts.

To address these risks, bank managers can hold training sessions, providing
employees with the basic knowledge they need to safeguard data and secure
their devices. The training curriculum could cover fundamentals such as
techniques for creating secure passwords, including automated password
management systems. It can also include ways to avoid keylogger scams and
phishing cons and information on how to protect devices against viruses and
malware.

3. Lack of accountability. The BYOD trend only started in earnest fairly
recently, so many financial institutions are still catching up. Most have
formulated policies to govern employees’ use of personal devices for
business purposes as well as routine use of company-owned technology
assets, but many don’t have a system in place to hold employees accountable.

To remedy this situation, bank managers can ask employees to read and sign
a written statement acknowledging that they understand the company’s policy
on cyber security and agree to comply with best practices, preferably after
receiving training from the company or reviewing detailed policy guidelines
that include tips on keeping data and devices safe. The policy should also
include directions on how to ask for support.

Financial institutions tend to focus on transactional security compliance,
which is unquestionably important. But bank employees are just as
vulnerable to hackers and data breaches in their day-to-day business
operations as staff at other types of companies.

For that reason, it’s important to encourage better security practices,
particularly since the BYOD trend has expanded the risks. By identifying
the most pressing vulnerabilities -- and taking steps to mitigate them --
banks can operate more safely and protect data and devices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 